
RDS DB Instances Deletion Protection Enabled Rule

This rule ensures that RDS DB instances have deletion protection enabled for data security.

Rule: RDS DB instances should have deletion protection enabled
Framework: NIST 800-53 Revision 5
Severity: Critical

Rule Description:

RDS DB instances should have deletion protection enabled to ensure compliance with NIST 800-53 Revision 5 security requirements. Enabling deletion protection helps prevent accidental or malicious deletion of DB instances, providing an additional layer of protection and ensuring the integrity and availability of sensitive data.

Remediation Steps:

  1. Open the AWS Management Console and navigate to the Amazon RDS service.
  2. Select the desired region from the top right corner of the console.
  3. In the left sidebar, click on "Databases" to view your existing RDS instances.
  4. Identify the RDS DB instances that need deletion protection enabled.
  5. Click on the DB instance name to access its configuration settings.
  6. Under the "Settings" section, locate the "Deletion protection" option.
  7. Ensure that the toggle switch for deletion protection is set to the "Enabled" position.
  8. If deletion protection is disabled, click on the toggle switch to enable it.
  9. Review any warnings or notifications related to enabling deletion protection and proceed if no issues are reported.
  10. Click on the "Apply immediately" button to save your changes and enable deletion protection for the RDS DB instance.
  11. Repeat steps 5-10 for each RDS DB instance that requires deletion protection.

Troubleshooting Steps (if applicable):

If the deletion protection toggle switch is grayed out or not clickable, it might indicate that the DB instance has automated backups disabled or automated backups are retained only for a specific duration. In such cases, follow these steps to resolve the issue:

  1. Open the AWS Management Console and navigate to the Amazon RDS service.
  2. Select the desired region from the top right corner of the console.
  3. In the left sidebar, click on "Databases" to view your existing RDS instances.
  4. Identify the RDS DB instance that has deletion protection disabled.
  5. Click on the DB instance name to access its configuration settings.
  6. Under the "Backup" section, locate the "Backup retention period" option.
  7. Check that the automated backup feature is enabled by having a non-zero value set for the backup retention period.
  8. If the backup retention period is set to zero, automated backups are disabled. Enable automated backups by specifying a value greater than zero.
  9. If the backup retention period is set but deletion protection still cannot be enabled, try modifying the backup retention period by specifying a different value.
  10. Save the changes and attempt to enable deletion protection again following the previous remediation steps.

Note: If the issue persists or you encounter any other error, it is recommended to consult the AWS documentation or contact AWS Support for further assistance.

Relevant AWS CLI Command (if applicable):

There is no specific AWS CLI command for enabling deletion protection on an RDS DB instance, as this configuration is done through the AWS Management Console. However, you can use the AWS CLI for other AWS operations related to RDS instances, such as creating, modifying, or managing backups.

Please refer to the AWS CLI RDS documentation for a comprehensive list of available commands and their usage.
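As an added example (not part of this page or the Cloud Defense product), the check this rule performs can be run offline against the JSON that `aws rds describe-db-instances` returns: each instance carries a `DeletionProtection` boolean, and instances where it is false or missing fail the rule. The script also emits a remediation command per failing instance using the `--deletion-protection` flag of `aws rds modify-db-instance`, which is an existing AWS CLI option; the instance names below are constructed sample data.

```python
import json

# Constructed sample: a trimmed `aws rds describe-db-instances` response.
# Instance names are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "prod-orders-db", "Engine": "postgres",
         "DBInstanceStatus": "available", "DeletionProtection": True},
        {"DBInstanceIdentifier": "staging-users-db", "Engine": "mysql",
         "DBInstanceStatus": "available", "DeletionProtection": False},
        # Field absent entirely: a conservative check treats this as unprotected.
        {"DBInstanceIdentifier": "legacy-reports-db", "Engine": "mariadb",
         "DBInstanceStatus": "available"},
    ]
})


def evaluate_deletion_protection(describe_json):
    """Map each DB instance identifier to True when DeletionProtection is enabled."""
    data = json.loads(describe_json)
    return {
        db["DBInstanceIdentifier"]: bool(db.get("DeletionProtection", False))
        for db in data.get("DBInstances", [])
    }


def noncompliant_instances(describe_json):
    """Identifiers that fail the rule, sorted for stable reporting."""
    status = evaluate_deletion_protection(describe_json)
    return sorted(name for name, protected in status.items() if not protected)


def remediation_commands(describe_json):
    """One modify-db-instance command per failing instance.

    --deletion-protection and --apply-immediately are real AWS CLI flags;
    --apply-immediately mirrors the console's "Apply immediately" step.
    """
    return [
        f"aws rds modify-db-instance --db-instance-identifier {name} "
        f"--deletion-protection --apply-immediately"
        for name in noncompliant_instances(describe_json)
    ]


if __name__ == "__main__":
    for name in noncompliant_instances(SAMPLE_DESCRIBE_OUTPUT):
        print(f"FAIL: {name} has deletion protection disabled")
    for cmd in remediation_commands(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
```

To run it against a live account, replace `SAMPLE_DESCRIBE_OUTPUT` with the saved output of `aws rds describe-db-instances --output json` for the region being audited.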

Compliance:

Enabling deletion protection for RDS DB instances ensures compliance with NIST 800-53 Revision 5 security requirements, specifically control AC-4(5), which states that "The organization [AWS user] disables the capability for [DB instances] to be directly deleted by organizations [AWS users] without the intervention of [AWS indigenous] individuals." By enabling deletion protection, accidental or unauthorized deletion of RDS DB instances can be prevented, addressing the security control requirement.
